T1137.003 Microsoft Sentinel · KQL

Detect Outlook Forms in Microsoft Sentinel

Adversaries abuse Microsoft Outlook custom forms to achieve persistence. Custom forms are stored in the user's mailbox and are loaded when Outlook starts. A malicious form containing VBScript or JScript executes when an adversary sends a specially crafted email to the victim. The Ruler tool automates this technique. Forms are stored in the mailbox itself, making them invisible to standard endpoint file monitoring and surviving OS reinstalls.

MITRE ATT&CK

Tactic
Persistence
Technique
T1137 Office Application Startup
Sub-technique
T1137.003 Outlook Forms
Canonical reference
https://attack.mitre.org/techniques/T1137/003/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// T1137.003 — Outlook Forms persistence detection
// Forms are stored in the mailbox, but execution leaves process traces
// Part 1: Detect Outlook spawning unexpected child processes (form execution)
let OutlookChildren = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "outlook.exe"
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
                      "msiexec.exe", "wmic.exe", "explorer.exe")
| extend DetectionType = "Outlook Child Process"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect Ruler tool usage (automates Outlook forms attack)
let RulerActivity = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any ("ruler", "--forms", "--homepage", "--target", "--ruler")
    or FileName =~ "ruler.exe"
| extend DetectionType = "Ruler Tool Execution"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect network connections from Outlook to Exchange/MAPI after form trigger
let OutlookPostExec = DeviceNetworkEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName =~ "outlook.exe"
| where RemotePort in (80, 443, 445, 4444, 8080, 8443)
| where RemoteIPType == "Public"
| extend DetectionType = "Outlook External Network Connection"
| project Timestamp, DeviceName, AccountName, RemoteIP, RemotePort, RemoteUrl,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union OutlookChildren, RulerActivity, OutlookPostExec
| sort by Timestamp desc
high severity medium confidence

Three-part detection for Outlook Forms persistence. Part 1 detects Outlook spawning shell interpreters (cmd, PowerShell, wscript) indicating form VBScript/JScript code execution. Part 2 detects the Ruler tool which automates Outlook Forms attacks (used in red team and real attacks). Part 3 flags unusual outbound network connections from outlook.exe to public IPs, which can indicate C2 triggered by a malicious form receiving an email.

Data Sources

Process: Process CreationNetwork Traffic: Network Connection CreationMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEventsDeviceNetworkEvents

False Positives & Tuning

  • Legitimate Outlook add-ins or plugins that spawn helper processes (e.g., CRM integrations, document management systems)
  • IT helpdesk tools that connect to Exchange via Outlook for automation purposes
  • Security awareness training platforms that send test phishing emails (should not cause child processes in normal operation)
  • Outlook integration with Teams, Slack, or other collaboration tools spawning child processes for notifications
Download portable Sigma rule (.yml)

Other platforms for T1137.003

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Test Outlook Child Process Detection (Simulate Form Execution)

    Expected signal: Sysmon Event ID 1: Process Create with Image=cmd.exe, CommandLine containing 'whoami'. Parent process will be powershell.exe in this simulation (not outlook.exe), but the pattern of Office app spawning cmd.exe is what the detection tests.

  2. Test 2Ruler Tool Form Installation (Controlled Test)

    Expected signal: If actually executed: Sysmon Event ID 1 with Image=ruler.exe, Sysmon Event ID 3 with network connection to Exchange EWS endpoint on port 443. Security Event ID 4624 for EWS authentication.

  3. Test 3Check for Malicious Outlook Forms via PowerShell EWS

    Expected signal: Sysmon Event ID 3: Network connection from powershell.exe to Exchange server on port 443. Security Event ID 4624 for EWS authentication (Kerberos or NTLM).

Last updated: 2026-04-18 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1137.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1137Office Application Startup

Related Sub-techniques

T1137.001Office Template MacrosT1137.002Office TestT1137.004Outlook Home PageT1137.005Outlook RulesT1137.006Add-ins

Related Techniques

T1137Office Application StartupT1137.004Outlook Home PageT1137.005Outlook RulesT1114.002Remote Email CollectionT1059.005Visual BasicT1021.002SMB/Windows Admin Shares

Same Tactic: Persistence

Popular Detections